Reputation: 529
In our organization, we have configured an Access Policy with a scope for a GCP folder.
Here are the details of our configuration:
Access Policy:
accessPolicies/XXXXX
Access Level:
accessLevels/Access_Level_Restriction
VPC Service Perimeter in Dry Run mode:
servicePerimeters/vpc_perimeter (Access_Level_Restriction)
We have enabled the VPC SC / WIF feature for our organization.
Issue Encountered:
When connected via Workforce Identity Federation (WIF) or Cloud Identity, I can access Compute Engine to list instances in the GCP project project_id. However, when filtering logs with log_id("cloudaudit.googleapis.com/policy") AND severity="error" AND protoPayload.metadata.dryRun="true", I receive VPC Service Controls errors in Dry Run mode stating:
(Dry Run Mode) Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: XXXXXXX
Error Details:
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 7,
      "message": "(Dry Run Mode) Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: XXXXXXX",
      "details": [
        {
          "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
          "violations": [
            {
              "type": "VPC_SERVICE_CONTROLS",
              "description": "XXXXXXX"
            }
          ]
        }
      ]
    },
    "authenticationInfo": {
      "principalEmail": "anonymized_email@domain.com"
    },
    "requestMetadata": {
      "callerIp": "MY_IPV4",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "compute.googleapis.com",
    "methodName": "compute.beta.ProjectsService.Get",
    "resourceName": "projects/XXXXXXXXX",
    "metadata": {
      "deviceState": "Unknown",
      "ingressViolations": [
        {
          "servicePerimeter": "accessPolicies/XXXXX/servicePerimeters/vpc_perimeter",
          "targetResource": "projects/XXXXXXXXX"
        }
      ],
      "intermediateServices": [
        "cloudclient-pa.googleapis.com"
      ],
      "securityPolicyInfo": {
        "organizationId": "XXXXXXXXX",
        "servicePerimeterName": "accessPolicies/XXXXX/servicePerimeters/vpc_perimeter"
      },
      "vpcServiceControlsUniqueId": "XXXXXXX",
      "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata",
      "dryRun": true,
      "resourceNames": [
        "project_id"
      ],
      "violationReason": "NO_MATCHING_ACCESS_LEVEL"
    }
  },
  "insertId": "XXXXXXXXX",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "compute.beta.ProjectsService.Get",
      "service": "compute.googleapis.com",
      "project_id": "project_id"
    }
  }
}
Questions:
Upvotes: 0
Views: 387
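A small triage script for the dry-run entries returned by that log filter, added here as an example (it is not code from the original post or from Google). It assumes the entries are exported as JSON strings with the protoPayload.metadata shape shown above; the sample entry is constructed with placeholder values.

```python
# Added example (not from the original post): triage VPC SC dry-run violations
# from Cloud Audit Log entries with the protoPayload.metadata shape shown above.
import json
from collections import Counter

VPC_SC_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

# Constructed sample: one dry-run ingress violation for a federated (WIF) user.
SAMPLE_ENTRIES = [json.dumps({
    "protoPayload": {
        "status": {"code": 7, "message": "(Dry Run Mode) Request is prohibited by organization's policy."},
        "authenticationInfo": {"principalEmail": "user@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.10"},
        "serviceName": "compute.googleapis.com",
        "methodName": "compute.beta.ProjectsService.Get",
        "metadata": {
            "@type": VPC_SC_TYPE,
            "dryRun": True,
            "ingressViolations": [{
                "servicePerimeter": "accessPolicies/0000/servicePerimeters/vpc_perimeter",
                "targetResource": "projects/000000"}],
            "violationReason": "NO_MATCHING_ACCESS_LEVEL",
        },
    },
})]

def parse_violation(raw):
    """Flatten one VPC SC dry-run violation; return None for any other log entry."""
    payload = json.loads(raw).get("protoPayload", {})
    meta = payload.get("metadata", {})
    if meta.get("@type") != VPC_SC_TYPE or not meta.get("dryRun"):
        return None
    ingress = meta.get("ingressViolations") or [{}]
    return {
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "method": payload.get("methodName"),
        "reason": meta.get("violationReason"),  # e.g. NO_MATCHING_ACCESS_LEVEL
        "perimeter": ingress[0].get("servicePerimeter"),
        "target": ingress[0].get("targetResource"),
    }

def summarize(raw_entries):
    """Count dry-run violations by (perimeter, reason): what enforcing would block."""
    records = [r for r in map(parse_violation, raw_entries) if r]
    return Counter((r["perimeter"], r["reason"]) for r in records), records
```

Run over the exported dry-run entries before switching the perimeter to enforced mode; a NO_MATCHING_ACCESS_LEVEL count for a principal or caller IP you expect to allow means no access level bound to that perimeter matched the request.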
Reputation: 552
> Why does this error appear even though the IP is authorized in the ingress policy?
This should be connected to the group policy to explicitly allow the access level (link).
> Is it necessary to explicitly add the access level in the service perimeter despite the configuration via the ingress policy?
It is recommended to explicitly add the access level to the service perimeter, as described in this link.
Upvotes: 0